1. 11 Jan, 2017 1 commit
  2. 12 Dec, 2016 3 commits
    • Benjamin Tissoires's avatar
      HID: fix missing irq field · 8cd16166
      Benjamin Tissoires authored
      commit ba18a931
       ("Revert "HID: i2c-hid: Add support for ACPI GPIO
      interrupts"") removed the need for storing the irq in struct i2c_hid.
      But then commit de3c99488609 ("HID: i2c-hid: Disable IRQ before freeing
      buffers") forgot to update the location of the irq.
      Fix this by using the actual I2C client irq.
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
    • Jiri Kosina's avatar
      HID: i2c-hid: fix build · ba1660f1
      Jiri Kosina authored
      Add a forgotten include that I've by mistake omitted when resolving
      merge conflict in ead0687fe30 ("HID: i2c-hid: support regulator power
      Fixes: ead0687fe30 ("HID: i2c-hid: support regulator power on/off")
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
    • João Paulo Rechi Vita's avatar
      HID: i2c-hid: Disable IRQ before freeing buffers · d46ddc59
      João Paulo Rechi Vita authored
      The HID report buffers that are initially allocated on i2c_hid_probe()
      might not be big enough to hold the HID reports from a specific device,
      in which case they will be freed and new ones will be allocated in
      i2c_hid_start(), at point which the device's report size is known. But
      at this point ihid->irq is already running, and may call
      i2c_hid_get_input() which passes ihid->inbuf to i2c_master_recv(). Since
      this handler runs in a separate thread, ihid->inbuf may be freed at this
      very moment, and i2c_master_recv() will write on memory which may be
      already owned by a different part of the kernel, corrupting its data.
      This problem has been observed on an Asus UX360UA laptop which has an
      I2C touchpad, and results in a complete system freeze or an unusable
      slowness with a lof of "BUG: unable to handle kernel paging request at
      <address>" warnings. Enabling SLUB debugging shows a use-after-free
      warning on memory allocated in i2c_hid_alloc_buffers() and freed in
      BUG kmalloc-64 (Not tainted): Poison overwritten
      Disabling lock debugging due to kernel taint
      INFO: 0xffff880264083273-0xffff88026408329e. first byte 0x0 instead of 0x6b
      INFO: Allocated in i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid] age=35793 cpu=2 pid=430
      	i2c_hid_alloc_buffers+0x25/0xa0 [i2c_hid]
      	i2c_hid_probe+0x12f/0x5e0 [i2c_hid]
      INFO: Freed in i2c_hid_free_buffers+0x16/0x60 [i2c_hid] age=7552 cpu=1 pid=1473
      	i2c_hid_free_buffers+0x16/0x60 [i2c_hid]
      	i2c_hid_start+0x2a9/0x2df [i2c_hid]
      	mt_probe+0x160/0x22e [hid_multitouch]
      	hid_device_probe+0xd7/0x150 [hid]
      	__hid_register_driver+0x53/0x90 [hid]
      INFO: Slab 0xffffea0009902080 objects=20 used=20 fp=0x          (null) flags=0x17fff8000004080
      INFO: Object 0xffff880264083260 @offset=4704 fp=0x          (null)
      Bytes b4 ffff880264083250: 8d e6 fe ff 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a  ........ZZZZZZZZ
      Object ffff880264083260: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
      Object ffff880264083270: 6b 6b 6b 00 00 00 00 00 00 00 00 00 00 00 00 00  kkk.............
      Object ffff880264083280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Object ffff880264083290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      Redzone ffff8802640832a0: bb bb bb bb bb bb bb bb                          ........
      Padding ffff8802640833e0: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
      CPU: 1 PID: 1503 Comm: python3 Tainted: G    B           4.4.21+ #10
      Hardware name: ASUSTeK COMPUTER INC. UX360UA/UX360UA, BIOS UX360UA.200 05/05/2016
       0000000000000086 00000000622d48a2 ffff88026061ba38 ffffffff813f6044
       ffff880264082010 ffff880264083260 ffff88026061ba78 ffffffff811e8eab
       0000000000000008 ffff880200000001 ffff88026408329f ffff88026a007700
      Call Trace:
       [<ffffffff813f6044>] dump_stack+0x63/0x8f
       [<ffffffff811e8eab>] print_trailer+0x14b/0x1f0
       [<ffffffff811e94c1>] check_bytes_and_report+0xc1/0x100
       [<ffffffff811e96c4>] check_object+0x1c4/0x240
       [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff811e9b44>] alloc_debug_processing+0x104/0x180
       [<ffffffff811eb7be>] ___slab_alloc+0x41e/0x460
       [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff8124590b>] ? __getblk_gfp+0x2b/0x60
       [<ffffffff8129b969>] ? ext4_getblk+0xa9/0x190
       [<ffffffff811eb820>] __slab_alloc+0x20/0x40
       [<ffffffff811ed320>] __kmalloc+0x210/0x280
       [<ffffffff81293fde>] ? ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff812c1602>] ? ext4fs_dirhash+0xc2/0x2a0
       [<ffffffff81293fde>] ext4_htree_store_dirent+0x3e/0x120
       [<ffffffff812a4f47>] htree_dirblock_to_tree+0x187/0x1b0
       [<ffffffff812a5fd2>] ext4_htree_fill_tree+0xb2/0x2e0
       [<ffffffff811ebb7a>] ? kmem_cache_alloc_trace+0x1fa/0x220
       [<ffffffff81293e45>] ? ext4_readdir+0x775/0x8b0
       [<ffffffff81293cb1>] ext4_readdir+0x5e1/0x8b0
       [<ffffffff81221c82>] iterate_dir+0x92/0x120
       [<ffffffff81222118>] SyS_getdents+0x98/0x110
       [<ffffffff81221d10>] ? iterate_dir+0x120/0x120
       [<ffffffff818157f2>] entry_SYSCALL_64_fastpath+0x16/0x71
      FIX kmalloc-64: Restoring 0xffff880264083273-0xffff88026408329e=0x6b
      FIX kmalloc-64: Marking all objects used
      Signed-off-by: default avatarJoão Paulo Rechi Vita <jprvita@endlessm.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
  3. 28 Nov, 2016 1 commit
  4. 10 Nov, 2016 1 commit
  5. 14 Oct, 2016 2 commits
  6. 21 Jun, 2016 1 commit
    • Guohua Zhong's avatar
      HID: i2c-hid: set power sleep before shutdown · d9f448e3
      Guohua Zhong authored
      Add i2c_hid_shutdown for i2c-hid driver to send suspend cmd & free
      irq before device shutdown.
      Some HW design (i.e. Umaro, a chromebook model) is that the power to
      i2c hid device won't down after device shutdown. Also the i2c-hid driver
      do not send suspend cmd to the hid i2c device and free its irq before
      shutdown.So if We touch the touchscreen or some other i2c hid device,
      the power consumtion will be go up even when the device is in shutdown
      Though the root cause maybe a HW issue. But it seems that it is a
      good pratice to set power sleep for i2c-hid device before shutdown.
      Signed-off-by: default avatarGuohua Zhong <ghzhong@yifangdigital.com>
      Acked-By: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
  7. 06 Jun, 2016 1 commit
  8. 15 Mar, 2016 1 commit
    • Dmitry Torokhov's avatar
      HID: i2c-hid: fix OOB write in i2c_hid_set_or_send_report() · 3b654288
      Dmitry Torokhov authored
      Even though hid_hw_* checks that passed in data_len is less than
      HID_MAX_BUFFER_SIZE it is not enough, as i2c-hid does not necessarily
      allocate buffers of HID_MAX_BUFFER_SIZE but rather checks all device
      reports and select largest size. In-kernel users normally just send as much
      data as report needs, so there is no problem, but hidraw users can do
      whatever they please:
      BUG: KASAN: slab-out-of-bounds in memcpy+0x34/0x54 at addr ffffffc07135ea80
      Write of size 4101 by task syz-executor/8747
      CPU: 2 PID: 8747 Comm: syz-executor Tainted: G    BU         3.18.0 #37
      Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
      Call trace:
      [<ffffffc00020ebcc>] dump_backtrace+0x0/0x258 arch/arm64/kernel/traps.c:83
      [<ffffffc00020ee40>] show_stack+0x1c/0x2c arch/arm64/kernel/traps.c:172
      [<     inline     >] __dump_stack lib/dump_stack.c:15
      [<ffffffc001958114>] dump_stack+0x90/0x140 lib/dump_stack.c:50
      [<     inline     >] print_error_description mm/kasan/report.c:97
      [<     inline     >] kasan_report_error mm/kasan/report.c:278
      [<ffffffc0004597dc>] kasan_report+0x268/0x530 mm/kasan/report.c:305
      [<ffffffc0004592e8>] __asan_storeN+0x20/0x150 mm/kasan/kasan.c:718
      [<ffffffc0004594e0>] memcpy+0x30/0x54 mm/kasan/kasan.c:299
      [<ffffffc001306354>] __i2c_hid_command+0x2b0/0x7b4 drivers/hid/i2c-hid/i2c-hid.c:178
      [<     inline     >] i2c_hid_set_or_send_report drivers/hid/i2c-hid/i2c-hid.c:321
      [<ffffffc0013079a0>] i2c_hid_output_raw_report.isra.2+0x3d4/0x4b8 drivers/hid/i2c-hid/i2c-hid.c:589
      [<ffffffc001307ad8>] i2c_hid_output_report+0x54/0x68 drivers/hid/i2c-hid/i2c-hid.c:602
      [<     inline     >] hid_hw_output_report include/linux/hid.h:1039
      [<ffffffc0012cc7a0>] hidraw_send_report+0x400/0x414 drivers/hid/hidraw.c:154
      [<ffffffc0012cc7f4>] hidraw_write+0x40/0x64 drivers/hid/hidraw.c:177
      [<ffffffc0004681dc>] vfs_write+0x1d4/0x3cc fs/read_write.c:534
      [<     inline     >] SYSC_pwrite64 fs/read_write.c:627
      [<ffffffc000468984>] SyS_pwrite64+0xec/0x144 fs/read_write.c:614
      Object at ffffffc07135ea80, in cache kmalloc-512
      Object allocated with size 268 bytes.
      Let's check data length against the buffer size before attempting to copy
      data over.
      Cc: stable@vger.kernel.org
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarDmitry Torokhov <dtor@chromium.org>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
  9. 10 Mar, 2016 2 commits
  10. 30 Dec, 2015 1 commit
    • Mika Westerberg's avatar
      HID: i2c-hid: Prevent sending reports from racing with device reset · 9a327405
      Mika Westerberg authored
      When an i2c-hid device is resumed from system sleep the driver resets
      the device to be sure it is in known state. The device is expected to
      issue an interrupt when reset is complete.
      This reset might take few milliseconds to complete so if the HID driver
      on top (hid-rmi) starts to set up the device by sending feature reports
      etc. the device might not issue the reset complete interrupt anymore.
      Below is what happens to touchpad on Lenovo Yoga 900 during resume from
      system sleep:
        [   24.790951] i2c_hid i2c-SYNA2B29:00: i2c_hid_hwreset
        [   24.790973] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_power
        [   24.790982] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: cmd=22 00 00 08
        [   24.793011] i2c_hid i2c-SYNA2B29:00: resetting...
        [   24.793016] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: cmd=22 00 00 01
      Here i2c-hid sends reset command to the touchpad.
        [   24.794012] i2c_hid i2c-SYNA2B29:00: input: 06 00 01 00 00 00
        [   24.794051] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_or_send_report
        [   24.794059] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command:
                       cmd=22 00 3f 03 0f 23 00 04 00 0f 01
      Now hid-rmi puts the touchpad to correct mode by sending it a feature
      report. This makes the touchpad not to issue reset complete interrupt.
        [   24.796092] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: waiting...
      i2c-hid starts to wait for the reset interrupt to trigger which never
        [   24.798304] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_or_send_report
        [   24.798313] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command:
                       cmd=25 00 17 00 09 01 42 00 2e 00 19 19 00 10 cc 06 74 04 0f
                           19 00 00 00 00 00
      Yet another output report from hid-rmi driver.
        [   29.795630] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: finished.
        [   29.795637] i2c_hid i2c-SYNA2B29:00: failed to reset device.
      After 5 seconds i2c-hid driver times out.
        [   29.795642] i2c_hid i2c-SYNA2B29:00: i2c_hid_set_power
        [   29.795649] i2c_hid i2c-SYNA2B29:00: __i2c_hid_command: cmd=22 00 01 08
        [   29.797576] dpm_run_callback(): i2c_hid_resume+0x0/0xb0 returns -61
        [   29.797584] PM: Device i2c-SYNA2B29:00 failed to resume: error -61
      After this the touchpad does not work anymore (and also resume itself
      gets slowed down because of the timeout).
      Prevent sending of feature/output reports while the device is being
      reset by adding a mutex which is held during that time.
      Reported-and-tested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Reported-by: default avatarNish Aravamudan <nish.aravamudan@gmail.com>
      Suggested-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
  11. 19 Nov, 2015 1 commit
  12. 29 Sep, 2015 1 commit
  13. 18 Aug, 2015 1 commit
  14. 08 Jul, 2015 1 commit
  15. 03 Jun, 2015 1 commit
  16. 18 May, 2015 1 commit
  17. 23 Apr, 2015 1 commit
  18. 24 Feb, 2015 1 commit
  19. 23 Feb, 2015 1 commit
  20. 17 Feb, 2015 1 commit
  21. 17 Dec, 2014 1 commit
    • Mika Westerberg's avatar
      HID: i2c-hid: Do not free buffers in i2c_hid_stop() · 5b44c53a
      Mika Westerberg authored
      When a hid driver that uses i2c-hid as transport is unloaded, the hid core
      will call i2c_hid_stop() which releases all the buffers associated with the
      device. This includes also the command buffer.
      Now, when the i2c-hid driver itself is unloaded it tries to power down the
      device by sending it PWR_SLEEP command. Since the command buffer is already
      released we get following crash:
       [   79.691459] BUG: unable to handle kernel NULL pointer dereference at           (null)
       [   79.691532] IP: [<ffffffffa05bc049>] __i2c_hid_command+0x49/0x310 [i2c_hid]
       [   79.693467] Call Trace:
       [   79.693494]  [<ffffffff810424e1>] ? __unmask_ioapic+0x21/0x30
       [   79.693537]  [<ffffffff81042855>] ? unmask_ioapic+0x25/0x40
       [   79.693581]  [<ffffffffa05bc35b>] ? i2c_hid_set_power+0x4b/0xa0 [i2c_hid]
       [   79.693632]  [<ffffffffa05bc3cf>] ? i2c_hid_runtime_resume+0x1f/0x30 [i2c_hid]
       [   79.693689]  [<ffffffff814c08fb>] ? __rpm_callback+0x2b/0x70
       [   79.693733]  [<ffffffff814c0961>] ? rpm_callback+0x21/0x90
       [   79.693776]  [<ffffffff814c0dec>] ? rpm_resume+0x41c/0x600
       [   79.693820]  [<ffffffff814c1e1c>] ? __pm_runtime_resume+0x4c/0x80
       [   79.693868]  [<ffffffff814b8588>] ? __device_release_driver+0x28/0x100
       [   79.693917]  [<ffffffff814b8d90>] ? driver_detach+0xa0/0xb0
       [   79.693959]  [<ffffffff814b82cc>] ? bus_remove_driver+0x4c/0xb0
       [   79.694006]  [<ffffffff810d1cfd>] ? SyS_delete_module+0x11d/0x1d0
       [   79.694054]  [<ffffffff8165f107>] ? int_signal+0x12/0x17
       [   79.694095]  [<ffffffff8165ee69>] ? system_call_fastpath+0x12/0x17
      Fix this so that we only free buffers when the i2c-hid driver itself is
      Fixes: 34f439e4
       ("HID: i2c-hid: add runtime PM support")
      Reported-by: default avatarGabriele Mazzotta <gabriele.mzt@gmail.com>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
  22. 12 Dec, 2014 1 commit
  23. 04 Dec, 2014 1 commit
  24. 25 Nov, 2014 1 commit
  25. 18 Nov, 2014 1 commit
  26. 29 Jul, 2014 1 commit
  27. 13 May, 2014 1 commit
  28. 14 Mar, 2014 1 commit
  29. 17 Feb, 2014 4 commits
  30. 03 Feb, 2014 1 commit
  31. 30 Jan, 2014 1 commit
    • Mika Westerberg's avatar
      HID: i2c-hid: add runtime PM support · 34f439e4
      Mika Westerberg authored
      This patch adds runtime PM support for the HID over I2C driver. When the
      i2c-hid device is first opened we power it on and on the last close we
      power it off. This is actually what the driver is already doing but in
      addition it allows subsystems, like ACPI power domain to power off the
      device during runtime PM suspend, which should save even more power.
      The implementation is not the most power efficient because it needs some
      interaction from the userspace (e.g close the device node whenever we are
      no more interested in getting events), nevertheless it allows us to save
      some power and works with devices that are not wake capable.
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
  32. 05 Jan, 2014 1 commit
  33. 25 Nov, 2013 1 commit